A year ago, presidents Barack Obama and Xi Jinping stood next to each other and declared that neither the U.S. nor Chinese governments “will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” Despite a great deal of warranted skepticism about the agreement initially, much of the heat surrounding cybersecurity in the bilateral relationship has dissipated. It is Russia, and the alleged hacks of the Democratic National Committee and World Anti-Doping Agency, that now dominates the headlines and drives much of U.S. cybersecurity policy discussion.
When he announced the agreement, President Obama warned, “We will be watching carefully to make an assessment as to whether progress has been made in this area.” The available evidence suggests that the overall level of Chinese-backed hacking has gone down. FireEye released a report in June 2016 that claimed the number of network compromises by the China-based hacking groups it tracks dropped from 60 in February 2013 to less than 10 by May 2016. Absence of evidence is not the same thing as evidence of absence, and the Chinese may be becoming more stealthy and sophisticated in their attacks. Indeed, FireEye noted that the decline in the number of attacks may be accompanied by a rise in the sophistication of attacks. U.S. Assistant Attorney General John Carlin confirmed the company’s findings that attacks were less voluminous but more focused and calculated. Chinese hackers may have shifted their focus to other targets. Kaspersky Labs reported Chinese hacking of Russian defense, nuclear, and aviation industries rose nearly threefold in the first seven months of 2016.
A month after signing the agreement with the United States, China inked a similar deal with the United Kingdom, and, in November 2015, China, Brazil, Russia, the United States, and other members of the Group of Twenty accepted the norm against conducting cyber-enabled theft of intellectual property. The United States and China have also held two rounds of cyber talks between the U.S. Department of Homeland Security (DHS) and Chinese Ministry of Public Security (MPS), the first in December 2015, the second in June 2016. At these meetings, Washington and Beijing agreed on the guidelines for requesting assistance on cybercrime, discussed establishing a hotline, and conducted tabletop exercises. In August, the Ministry of Public Security reported that the hotline between DHS and MPS was up and running.
The shift in Chinese hacking seems to have been driven by external and internal forces. Over a two-year span, the United States mounted an aggressive naming and shaming campaign, indicted five People’s Liberation Army (PLA) hackers, and, in the weeks before the September summit, hinted it would sanction Chinese individuals or entities that benefited from cyber-enabled theft. Xi Jinping’s anti-corruption campaign and the clampdown on criminal use of state resources, as well as efforts to modernize the PLA and bring cyber operations under more centralized control, may have also produced the decline in hacking.
Former National Security Agency official Dave Aitel argues that the Chinese move to a higher grade of hacking, and increased capabilities across the board, make it more likely that the United States and China will be able to cooperate in cyberspace. As Aitel puts it, “You don’t have to hack EVERYTHING if you can hack ANYTHING,” and this allows for collaboration on areas of shared interest.
I am less optimistic. Beijing and Washington do have shared interests in cybersecurity—preventing the proliferation of capabilities to non-state actors; limiting attacks that threaten global financial networks and the integrity of the internet—but it is very difficult to convert these shared concerns into concrete cooperation. Moreover, strategic mistrust is high between the two sides, and they remain divided over many other digital issues, including the free flow of information, internet governance, data localization, and how to best secure information technology products and supply chains. But Aitel is right that cooperation would certainly be nearly impossible if the high rates of theft of intellectual property were continuing. Let’s hope that the attacks on the private sector remain low, and that the United States and China can build on the agreement in other areas of cyberspace.